gh0strat | 49d93e4b21fe4e5f552b08cc722d93fb1ca1f2e3b9c6834ee412424026d94a87

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Size

153KB
MD5

2f22043d6b0d52119ecdf1f845767d7a
SHA1

86ac460ac78b4adffea5d46fba40091f16825418
SHA256

49d93e4b21fe4e5f552b08cc722d93fb1ca1f2e3b9c6834ee412424026d94a87
SHA512

ede5ec5c21fb1cf1d19b529d9edf39773e28cf517b6e74782750ed17f625718489a3797b0f4722ea86d0b40ed76aafe36931102405f669662fc741a26060489d
SSDEEP

3072:L0I5+JNTKhn6s5Yv4BAalyeMV4PMAkZz3JQf1CkNE66hc5Jeqovhe:QJJNCev4BLyeq5z5fkuXcJeqoQ

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral2/memory/1692-0-0x0000000000400000-0x0000000000427498-memory.dmp	family_gh0strat
behavioral2/files/0x0006000000023287-3.dat	family_gh0strat
behavioral2/memory/1692-6-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral2/files/0x000d000000023402-13.dat	family_gh0strat
behavioral2/memory/848-15-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral2/memory/1692-18-0x0000000000400000-0x0000000000427498-memory.dmp	family_gh0strat
behavioral2/memory/1692-19-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
848	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
848	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Oklm\Tklmnopqr.jpg	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Oklm\Tklmnopqr.jpg	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
556	1692	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeRestorePrivilege	1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeBackupPrivilege	1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeRestorePrivilege	1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeBackupPrivilege	1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeRestorePrivilege	1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeBackupPrivilege	1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
Token: SeRestorePrivilege	1692	2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f22043d6b0d52119ecdf1f845767d7a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 432
  2⤵
  - Program crash
  PID:556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1692 -ip 1692
1⤵
PID:3580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3173700.dll

Filesize
122KB

MD5
507a5229363d13c8f4f6361cf4d135fe

SHA1
6bd05a3d4dc024e2d61bb82c2368b0360d1e6565

SHA256
692a09cc6008cb51cb43831227bdaea7c4b4ab67f9dbbad5a6325f0edb780e3b

SHA512
da63e5919c0e7561854aaf4c4791e8fbdebd439e6e09aee5237d8d8bed248579b66c957d06839ebdead6efee48c2d4a40845e9b09acdc20381c7bd4cd7035658

Download Submit
\??\c:\NT_Path.jpg

Filesize
99B

MD5
fc336aaaac07ad0ef962e8ab036b9693

SHA1
7e251cd1c4a7ae8976e2b1a58d5c9dc196c9c79d

SHA256
0cbc54c2f7d13453608e64a4c48977d944213fed981740cac072fc664ce16735

SHA512
e07a2a5e14d26532e3ba321d8fca3fa3c57c6f9b2298b834bb181a00e28e58fd68266e854a1a97b3aed236d03a10a193f6ab06db26e38b133970eee823d782c5

Download Submit
\??\c:\program files (x86)\oklm\tklmnopqr.jpg

Filesize
14.8MB

MD5
3062f7dedeb9602fe78b0090b338f097

SHA1
3f7c071689189f643b43b8f77db2c105470e3d81

SHA256
6fb058c7f8e80f21edabb5a8366f662b7f8ca0e527628b088ca835e995525f03

SHA512
d116556833b1bb343c06a0adc88759d7d3f24fd2fa021faa66acb8eb9b8b80e0f4b406ad4ac08af457dc25e68714cad4aa65205139358cff676205d1c61f3713

Download Submit
memory/848-15-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1692-0-0x0000000000400000-0x0000000000427498-memory.dmp

Filesize
157KB

Download
memory/1692-6-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1692-18-0x0000000000400000-0x0000000000427498-memory.dmp

Filesize
157KB

Download
memory/1692-19-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download